I have to say, this may end up turning out as a blessing in disguise. It's bad enough that most people have to deal with spam, but when you can effectively completely fuck a business's telephony over anonymously and with little trouble, you'll end up seeing legislation. I guarantee you that.

So long as enough people are responding to spam to make it profitable, if you build it they will spam it.

I don't think that's how it works. I don't think anyone responds to your typical spam; rather, they harvest working emails and sell those to less-than-scrupulous companies. That's where the real profits are, so it doesn't matter if people respond or not.

The response rates for spam mails are extremely low, but it's still more profitable than "traditional" commercials and ads, which means you get the same amount of customers with less investment. AFAICR, there's been a study about that about a year ago, but I can't find any link or reference anymore...:-/

And I think it works like this: the spammers sell spamming services to companies who think spam is a good way to sell services. As long as the spammers can sell services to somebody (even if it doesn't work very well), there will be spam.

Hint to spammers: You don't actually have to send out the spam, just say you do and pocket the money. Everyone will be happier. (Including your clients who mostly get a black eye and aggravation out of your services.)

I was wondering what the case would be like if you were to pounce on the issue before it became common. Like the correlation of mail spam to email spam was difficult with the introduction to computers and the unsavvyness of its users would IP phone be different with people ready? I'm thinking how nations all over the world will be embracing this, will a significant increase in participation make it more unlikely to occur if we are made aware of the implications.

Traffic limiting. ISPs can restrict the number of SMTP messages a host can send per day or hour.

Many of these techniques can be adapted to VoIP systems. I am surprised that SER [iptel.org] and Asterisk [asterisk.org] do not already support DNSBLs -- even if there is no call for them yet, we will certainly need published lists of abusive hosts or networks within a few years.

The flexibility with which one can express access restrictions is an important part of any system's security. My workplace is just starting a VoIP deployment. I want to be able to say things like:

No single outside host may make calls to more than 50 different destinations in a day.

No host may send more than ten pending SIP invites at any time. (Prevent predictive dialing!)

No host may send SIP IMs to more than 20 addresses in the same minute.

After an inbound call is completed, the recipient can dial *666 on our Asterisk PBX to report it as an abusive call. If five different addresses report abusive calls from the same originator, that originator is flagged and blocked for 24 hours.
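The four rules listed in the comment above, written out as a small admission policy. This is an added example, not part of the original post and not SER or Asterisk code; the class, method names and return strings are hypothetical, and it assumes a SIP proxy calls these hooks with a timestamp in seconds.

```python
from collections import defaultdict, deque

DAY, MINUTE = 86400, 60  # seconds

class AbusePolicy:
    """Per-host SIP limits from the post; all class and method names are hypothetical."""
    def __init__(self):
        self.calls = defaultdict(deque)    # host -> (time, destination), last 24 h
        self.ims = defaultdict(deque)      # host -> (time, address), last minute
        self.pending = defaultdict(set)    # host -> Call-IDs with no final response yet
        self.reports = defaultdict(set)    # originator -> addresses that dialed *666
        self.blocked_until = {}            # originator -> unblock time

    @staticmethod
    def _distinct(window, now, span, new):
        # Drop entries older than the window, then count distinct targets incl. the new one.
        while window and window[0][0] <= now - span:
            window.popleft()
        return len({target for _, target in window} | {new})

    def on_invite(self, now, host, dest, call_id):
        if self.blocked_until.get(host, 0) > now:
            return "blocked"
        if len(self.pending[host]) >= 10:
            return "too-many-pending"
        if self._distinct(self.calls[host], now, DAY, dest) > 50:
            return "too-many-destinations"
        self.calls[host].append((now, dest))
        self.pending[host].add(call_id)
        return "allow"

    def on_final_response(self, host, call_id):
        self.pending[host].discard(call_id)  # answered, rejected or cancelled

    def on_message(self, now, host, addr):
        if self.blocked_until.get(host, 0) > now:
            return "blocked"
        if self._distinct(self.ims[host], now, MINUTE, addr) > 20:
            return "too-many-im-recipients"
        self.ims[host].append((now, addr))
        return "allow"

    def on_abuse_report(self, now, reporter, originator):
        self.reports[originator].add(reporter)   # set: one vote per reporting address
        if len(self.reports[originator]) >= 5:
            self.blocked_until[originator] = now + DAY
            self.reports[originator].clear()
            return True
        return False
```

The post does not say how long abuse reports stay valid, so this sketch never expires them until the block fires.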

it doesn't need to really be profitable, just appear so. or just give you a feeling that you're reaching tons of people. some people just like that you know.

for example there's this italian jackass with a website with a bunch of pictures of him.. and he's running a fucking spambot on ircnet to advertise it. zero profit or anything for him, except maybe some people see pics of him, basically the guy is just being a fucking asshole.

Counterfeiters used to be executed, not because counterfeiting coin was so heinous a crime, but because the crown knew that if the public lost confidence in the currency the entire economic system would collapse. In the same vein, sentencing guidelines on crack-cocaine (a "black" drug) are so much higher than those for cocaine (a "white" drug) not because using crack was so much more heinous an offense than using coke, but because of the crippling death hold crack had on inner city black neighborhoods. It

From what I've read, blind people are more impacted by plain ol' email spam than anyone. It takes a lot more time for them to listen for a screen reader to start reciting off the latest anatomical enlargement offer than it does for a sighted person to scan the text and just hit "delete."

At least with this one type of spam I know that the spammer is paying big bucks in bandwidth to make it work. Just maybe we'll be lucky and it will turn out that VoIP spam isn't profitable and we will be free of it.

At least with this one type of spam I know that the spammer is paying big bucks in bandwidth to make it work.

Hold yer horses there Mr Rose-Colored Glasses: Spammers aren't exactly known for their ethical consumption of paid-for-out-of-pocket bandwidth. I'm sure it would be trivial to turn zombied computers into SPIT-bots.

Hmm, that may be true in the short term, but think long term. One could also say that the operating costs prevented conventional telephones from becoming uber-spamming machines. However, the telephone is evolving and that is no longer true. Bandwidth prices will simply continue to drop. The day will come where a VoIP call will be as insignificant as an email in cost.

I don't see the same people that respond to spam, as the same people using telephony. I will predict that the profit margin to people that respond will be too low to make this worthwhile until VoIP becomes more mainstream like email. (I can dream, can't I?)

Hello! We have some wonderful Costa Rican Properties for sale. For more info, please visit wearetryingtoripyouoff.info. Or, if you are lacking in a certain area, you can receive generic drugs from us directly. Just go to the same site. (In a fast, hurried tone) To remove yourself from our call list, please call the following number: 8003287448 Thank you!

First, today's spam has a link that says "http://somelegitsite.com", but the href is "http://1.2.3.4/uniqueID" to make you think you're going to a legit site, but really sending you elsewhere. Hard to do with voice contact, or, rather, audio contact.

Second, they would never use a toll-free number. That would not only cost them money rather than you, but be easily traceable. For those who don't mind the traceability, it'll be a 900 number.

Given that corporations are the biggest users of VoIP right now, and given that it takes a burning-bush level miracle to get in touch with a human person at most large corps, I imagine most of this will be computerized voices yammering at each other for minutes on end. "Thank you for calling Bank of America." A: "Free trial of Viagra, no commitments" B: "For information about your account, press one now."

He adds that viruses are also possible with VoIP. A virus sent to phones could be used to launch more spit or to bring together thousands of VoIP systems to launch denial-of-service attacks.

Yeah, right, 'cause we always execute our voice mail messages!

Also, how is spamming voice mail via VoIP any different than just calling everybody up POTS?!? This article sounds more like another company trying to promote their "solution in search of a problem." Here's a hint: if spammers spoof their caller id and figure out how to insert random variations in the outgoing messages, this system isn't going to work anyway!

Yes, and HTML includes 1) a very flexible language (javascript), 2) a homogenous vendor whose express intent is to blur the lines between local and remote content, and 3) a less educated user population who just wants to see cool new stuff.

Umm, anything connected to the 'net can be 0wned. One malformed IPX packet to a Cisco router and you can 0wn it. It's really that easy. I imagine there will be fuckups with VoIP phones, and they will be vulnerable. Where's djb-voip when we need it...

Microsoft will provide SIP support on PCs with Windows XP and Windows Messenger, on smart devices with Windows CE 4.0, on the server with Windows Server 2003 and in other embedded devices with Windows XP Embedded, enabling unprecedented levels of interoperability for essentially any type of communications on essentially any device.

Alas, this is not so far-fetched, as the buffer overflow exploits in JPEG decoders illustrate.

Voice will almost certainly not be sent as plain DAC samples, but in some compressed form (MP3, Vorbis, Speex, etc.) requiring decoding in software. If your codec is not bulletproof, then a maliciously-formed compressed audio stream could conceivably exploit the hole and take over your machine.

You are right to sound the BS alarm - this is pure BS, for a few reasons.

Disclaimer/Clarifier: I install/configure/troubleshoot VoIP and IP telephony for a living (Cisco's version). I do it all day everyday - this is one of the few slashdot stories I am qualified to post about. So indulge me:

First - almost all residential VoIP customers still are using analog phones. You plug your analog phone into a device that converts analog signal to IP. So you can't fubar an analog phone with a virus or send spam to

Plain-old telephones are already "spammed" more than most people like (except where legislation steps in, of course, since, as you mentioned, it's much easier to track down the sender when they use telephony)

One of the touted benefits of VoIP is its reduced cost. Which means increased marketing profits. Which means more telemarketing on your VoIP phone than your POTS phone.

It may be over the internet, but at least vocal spam already has precedents in 'do not call lists' and such. I figure the more popular VoIP becomes, the faster this crap will get squashed. It won't take the decades phone spam legislation took to enact. Everybody is taking a good, hard look at how to crush unwanted solicitations in every form these days.

As the world becomes more and more connected and integrated, I find myself becoming more disconnected. Yes, I have my broadband connection and cell phone, but I can, and do, turn them off when I want to. The increased sense of urgency in the world of having to do everything by yesterday has only encouraged me to turn my electronics off. And it's not like the world's going to end if you can't see the latest version of last night's sports scores, your friend can't call you a l00z3r on IM, or check the latest duplicate on /.; although maybe for some [slashdot.org], it would.

As for spit, I really don't plan on getting VoIP anytime soon as I'm satisfied by my POTS landline. Do I have to pay taxes on it, yes; so what? We pay taxes on everything, including VoIP indirectly. You might not have taxes on VoIP, yet, but I'll bet there are taxes and surcharges on your Cable/DSL bill. The article itself does not have much content past the rhetorical comments regarding growth and registries. And the moment that I get a virus on my telephone is the moment I dig out an old beige mechanical AT&T phone. Seriously, how many features does your household phone need? Caller ID, sure; Call Waiting, nah, if it's important, they'll call back; voicemail, get an answering machine and save $5/mo.; etc.

Take a deep breath people and realize that humans and our respected cultures have existed for thousands of years and by turning off your electronic toys, at least for a few minutes, you might find peaceful relaxation or learn something that does not have a power requirement.

But what do I know, it seems the Slashdot audience lives behind the glow rather than under the sun, so I may be preaching to the wrong crowd. --Amigori

Fortunately, VoIP is young enough such that they could modify the protocols to nip this in the bud.

Cryptographic solutions would probably be the first place to look. For example, suppose my phone will only look at incoming connections which are begun with some certificate signed by the VoIP service provider (Vonage, Skype, whatever). So, in order to be able to call me, your phone first contacts the provider, requests a certificate to connect to me, and the provider gives that to the phone, and then their phone uses that as credentials to get my phone to not ignore it. Then, all the service provider has to do is watch out for excessive numbers of connections coming from one customer.

I wouldn't be surprised in the least if this isn't already built into the VoIP systems. After all, we've been trying for some time now to move email into the domain of cryptographic authentication (SPF is just an intermediate fix) to stop spam. So, we've known for a while that this is "the way to do it right", and we also know from the way e-mail is going that it's a major pain to try to change the system to use it after the system is already in place. So, I'd expect that they might already have this capability.
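The scheme sketched in the comment above (the caller asks the provider for a credential, the callee's phone ignores calls without one, and the provider counts requests per customer), as an added example that is not part of the original post and not any VoIP product's protocol. It swaps the "certificate signed by the provider" for an HMAC tag under a key the provider has provisioned into the callee's phone, so it runs on the Python standard library alone; all names, the token layout and the constructed addresses used with it are assumptions.

```python
import hashlib
import hmac
from collections import Counter

def _tag(key, caller, callee, exp_s):
    # MAC over exactly the fields the callee will check (addresses must not contain "|").
    msg = f"{caller}|{callee}|{exp_s}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Provider:
    """Hypothetical provider: issues call tokens and counts them per customer."""
    def __init__(self, daily_limit=50):
        self.phone_keys = {}           # callee address -> key provisioned into that phone
        self.issued_today = Counter()  # caller -> tokens issued (operator resets daily)
        self.daily_limit = daily_limit

    def issue(self, caller, callee, now, ttl=60):
        if self.issued_today[caller] >= self.daily_limit:
            return None                # excessive connection requests from one customer
        self.issued_today[caller] += 1
        exp_s = str(now + ttl)
        tag = _tag(self.phone_keys[callee], caller, callee, exp_s)
        return "|".join([caller, callee, exp_s, tag])

def phone_accepts(token, my_addr, my_key, claimed_caller, now):
    """Callee-side check: ignore any call whose token does not verify."""
    parts = token.split("|")
    if len(parts) != 4 or not parts[2].isdecimal():
        return False
    caller, callee, exp_s, tag = parts
    expected = _tag(my_key, caller, callee, exp_s)
    return (hmac.compare_digest(tag.encode(), expected.encode())
            and callee == my_addr          # token was issued for this phone
            and caller == claimed_caller   # and for the host now calling
            and now < int(exp_s))          # and has not expired
```

A token can be replayed until it expires, so the lifetime is kept short; a real deployment would use provider signatures so that phones hold no secret that can mint tokens.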

So, in order to be able to call me, your phone first contacts the provider, requests a certificate to connect to me, and the provider gives that to the phone, and then their phone uses that as credentials to get my phone to not ignore it.

Why not have a whitelist based on a web of trust like gpg has? Or does it already exist? I don't use VoIP, so I'm not really sure.

For starters, this is a fluff piece about a company that has just applied for a patent on this "technology". Of course, it's in their best interest for this to be a problem.

Unfortunately, I don't see how this problem is going to affect me when my ATA only accepts directives from VoicePulse, Vonage, Broadvoice or whoever's switch to which I'm buying service. Worse, it sits behind a router so there's NFW the ATA is going to even see packets that are not "new, established or related" (iptables speak).

Perhaps the author hasn't effectively communicated how this technology works, or maybe the company isn't divulging how it works, or maybe they have a great solution looking for a problem.

This would be telemarketing with NONE of the regulations... Or maybe ALL of the regulations. It all depends on how the courts see it when someone decides to sue over it.

Spammers have said "Spam is just like other forms of marketing" putting on some fake eco-friendly face on spam with domain names like "SaveTrees" etc. But Spam was never regulated and the other forms of "direct marketing" are.

Voice over IP or Telephony is basically the Internet answer to the telephone but there are some major differences.

***Here we have one... Voice over IP Telemarketing isn't regulated. There are rules and regulations as to whom you can call with telemarketing and how you may obtain a phone number. VoIP has no such rules.***

however.. sometimes the existing laws apply, regardless of if you're using a new technology to make the 'call'.

(like with a lot of things.. just because it's "on the internet" doesn't make it legal because there's no law that says specifically "on the internet...")

"Spam" (telemarketing) over certain VoIP services might be a problem, yes. I'd say that those ripe for the picking would include such things as Free World Dialup and Skype.

But I really, really don't see how services like Vonage, Packet8, Broadvoice, Broadvox, Primus/Lingo, etc. can fall victim to this type of thing, because they are inherently different from the FWD and Skype-alikes in that you pay for the service, have tie-ins to the POTS network, and are assigned a real POTS-addressable phone number. T

I'm just reaching here, IANAL and all. But as far as I can tell from a quick search nobody has attacked SPAM on the basis of Disturbing the Peace. Every community enforces rules about annoying other people. In most cases I think it's pretty vague, based on the level of annoyance and on how abnormal the offending behavior is deemed. Running a gas powered lawn mower on Saturday afternoon is normal, but running it continuously for 12 hours a day 7 days a week might be considered disturbing the peace. Sending email is normal, but maybe sending a million emails an hour is disturbing the peace.

So have a whitelist; every successful call gets put on the whitelist. Actually, my POTS company (SBC Ameritech) did this, minus the whitelist... sucked since some relatives in Florida had Caller ID blocked.